Google has warned of a high-severity zero-day vulnerability in Chrome that is being actively exploited in the wild. The company is urging Windows users to immediately update the browser to version 103.0.5060.114 to protect themselves from a potential attack.
Tracked as CVE-2022-2294, the flaw is a heap-based buffer overflow in WebRTC (Web Real-Time Communications), the browser component that provides in-page audio, video and data channels. According to Bleeping Computer, which first reported the update, the impact of such a bug ranges from a crash of the browser process to arbitrary code execution. An attacker who achieves code execution inside the browser could bypass security controls and chain the bug with further exploits for a far more damaging attack.
Jan Vojtesek of the Avast Threat Intelligence team reported the bug to Google on July 1. Because Google is aware that an exploit for the vulnerability exists in the wild, it rolled out a patch within days. The update is expected to reach all users globally within a week or two. In the meantime, Google is withholding details of the vulnerability and the exploit until most users have updated, to limit further attacks.
Chrome normally applies a downloaded update the next time it is relaunched, so if the update has already reached you, you may be running the fixed build without having done anything. To be sure, click the three-dot menu in the top-right corner of the browser window, select Settings, then click About Chrome at the bottom of the left-hand menu. Opening that page also triggers an update check. If the version shown is 103.0.5060.114 or later, you have the fix. Otherwise, let the update install and relaunch the browser.
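For anyone checking more than one Windows machine, the same check can be scripted. The PowerShell below is an added example, not code from the article or from Google: it looks up chrome.exe through the App Paths registry key that the Chrome installer writes (HKLM for per-machine installs, HKCU for per-user installs), reads the file's product version, and compares it numerically against the fixed build. The registry paths and the assumption that Chrome was installed by the standard installer are this example's own.

```powershell
# Added example: is the installed Chrome at or above the fixed build?
# Assumes a standard Chrome install that registered chrome.exe under
# App Paths (the official installer does this). Change $FixedVersion
# for later advisories.

$FixedVersion = [version]'103.0.5060.114'

function Get-ChromeVersion {
    # Per-machine installs register under HKLM, per-user installs under HKCU.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    )
    foreach ($key in $keys) {
        # The key's (default) value is the full path to chrome.exe.
        $exe = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            # ProductVersion is the same four-part string About Chrome displays.
            return [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }
    }
    return $null   # not found: Chrome absent or installed in a non-standard way
}

function Test-ChromePatched {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedVersion
    )
    # [version] compares each of the four components numerically, so
    # 103.0.5060.114 ranks above 103.0.5060.53 and below 104.0.x.y, which a
    # plain string comparison would get wrong.
    return $Installed -ge $Fixed
}

$installed = Get-ChromeVersion
if ($null -eq $installed) {
    Write-Output 'Chrome not found via App Paths; check About Chrome by hand.'
} elseif (Test-ChromePatched -Installed $installed) {
    Write-Output "Chrome $installed is at or above $FixedVersion: patched."
} else {
    Write-Output "Chrome $installed is below $FixedVersion: update and relaunch."
}
```

The check reads the binary on disk, so a build that has been downloaded but not yet applied will still report the old number; if the script reports an old version on a machine where Chrome has been running for a long time, relaunch the browser and run it again before treating the host as unpatched.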
According to Google, the latest update for Chrome in the Stable Desktop channel also includes three more security fixes. External researchers contributed two of them: CVE-2022-2296, a use-after-free in Chrome OS Shell reported in May, and CVE-2022-2295, a type confusion in the V8 JavaScript engine reported in June. Both are also rated high severity, but there are no known exploits for them in the wild.
This is the fourth zero-day vulnerability in Google Chrome this year
If you aren’t familiar with the term, a zero-day vulnerability is one for which an exploit is already in use before the vendor has become aware of the flaw or released a fix. This is the fourth such vulnerability patched in Chrome so far in 2022, after one each in February, March, and April. Given the risk, check for Chrome updates regularly and install new versions as soon as they appear.
On the broader topic of zero-days, Google’s Project Zero team tracked 58 vulnerabilities across various products and services that were detected and disclosed as exploited in the wild in 2021. That is the highest yearly count since the team began keeping records in 2014, and more than twice the 25 recorded in 2020.